Published by Al Saikali

Breach Notification Statutes

Subscribe to Breach Notification Statutes

My last post described what the recently passed Florida Information Protection Act (FIPA) will do.  This post analyzes how FIPA differs from Florida’s existing breach notification law and explains why those differences will hurt or help companies that maintain information about Florida residents.  Florida’s Governor must still sign the FIPA into law, but his signature is expected given the unanimous support of FIPA in the state legislature.  Once signed, the law will go into effect on July 1, 2014.  So what do businesses need to know about FIPA?

Attorney General Notification

The first significant difference between FIPA and Florida’s existing breach notification law is that, with some limited exceptions, breached entities will be required to notify Florida’s Attorney General within 30 days of any breach that affects more than 500 Florida residents.  Until now, Florida has been part of the majority of states that does not require notice of a breach to the state Attorney General.

The law also requires breached entities to notify the Attorney General’s office even when the entities decide notification to affected consumers is not necessary because the breach will not likely result in harm to affected individuals.  It remains to be seen whether this change in the law will result in a flood of “non-notifications” to the Attorney General’s office.

The FIPA provides teeth for the Attorney General’s Office to enforce it.  A violation of FIPA may be automatically considered a violation of Florida’s Deceptive and Unfair Trade Practices Act.  Though the FIPA does not create a private cause of action, we could see the Attorney General actively enforce the law against breached entities that fail to meet the law’s requirements.

Broader Definition of PII

Another significant change in Florida law as a result of the FIPA is the expansion of the definition of personally identifiable information (PII). PII will now include the username or email address in combination with a password or security questions and answer that would permit access to an online account.  This change is based on a realization that consumers are increasingly storing information online and, unfortunately, often using the same usernames and passwords.  The net result, however, will be an increased number of data breaches under the law.

Shortening the Breach Notification Period

FIPA also shortens the time a breached entity has to notify affected individuals of a breach.  Currently, breached entities must notify affected individuals “without unreasonable delay” but they have up to 45 days.  The new law requires breached entities to notify affected individuals “as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred,” unless a waiver or authorized delay is issued.

This change raises a couple of concerns for breached entities.  First, while in most instances 30 days may be enough time to notify affected individuals of a breach, in some cases that will not be enough time.  There are many steps that must take place as part of the notification process, including determining the source and scope of the instruction, identifying what information is affected, identifying who is affected and where they live, and ensuring that the threat is no longer in existence.  Adopting a bright line deadline may end up punishing breached entities that are working as quickly as possible to respond to a breach.

Second, it is not clear under the FIPA what starts the clock running on the 30 days.  When is “determination of the breach” triggered?  Is it when the breached entity reasonably believes an intrusion has occurred?  Is it when the entity knows that PII has been affected?  Is it when the entity knows whose PII has been affected?  I would argue that clock shouldn’t start running until the entity knows that the PII of a Florida resident has been affected, but we are left to guess how regulators will interpret this requirement.

Notification by Email

A welcome change that the FIPA will usher in is breach notification by email.  This will help significantly reduce the cost of breach notification in matters that involve a large number of Florida consumers.  It is also recognition that the best contact information a company may have for its customers is their email address.

Be prepared to turn over your incident and forensic reports

Perhaps the most significant change is that the FIPA purports to require breached entities to provide incident reports, data forensic reports, and the company’s policies in place regarding breaches, if the Florida Attorney General’s Office requests them.  These documents sometimes contain unintentionally damaging statements or proprietary information about a company’s security infrastructure that the company would not want to be made public.  And, once disclosed to the Attorney General’s office, the documents may become subject to a public records request, though this bill (which also awaits the Governor’s signature) tries to limit that risk?  As a result of this change, we could see breached entities either not requesting reports at all (out of concern that they will have to disclose them to third parties), or requesting two versions – a sanitized version that contains little information and can be produced to the Attorney General, and a more fulsome version for internal use.  Either result could not have been what the legislature intended when it passed this law.  It will also be interesting to see how the FIPA will affect the work product and self-critical analysis privileges that apply to data forensic reports prepared at the direction of counsel.

Proactive Security Requirements

The FIPA adds a new type of protection of PII:  it requires that an entity maintaining PII adopt “reasonable measures” to protect and secure the PII.  With this change, Florida joins the minority of jurisdictions that statutorily require entities maintaining PII to adopt safeguards regardless of whether the entity ever suffers a breach.  To be sure, adopting safeguards to protect PII is a good idea regardless of whether it is statutorily required, and the failure to adopt those safeguards could expose a company to an enforcement action by the FTC or state attorney general under the FTC Act or “little FTC Acts,” respectively, even in states where those safeguards are not required.  But the FIPA provides no guidance as to what is meant by “reasonable measures.”  Does this mean encryption?  Password protection?  Are written policies and training required?  Does it differ depending on the size of the breached entity?  Again, we are left to guess.

Some Final Observations

A few closing observations about the FIPA:

  • The definition of a breach is still limited to electronic personal information; so a breach involving purely paper records may not trigger the statute.
  • A violation of the statute is automatically considered a violation of Florida’s Deceptive and Unfair Trade Practices Act, but that violation appears to be enforceable only by the Florida Attorney General and not a private cause of action.
  • A breach now means unauthorized “access” of PII, where before it was defined as unauthorized “acquisition” of PII.  This change broadens the number of scenarios that could be considered a breach.

In short, the FIPA is generally a consumer-friendly law that will increase the number of breaches that require notification, shorten the time by which notification must take place, require that the Attorney General be included in the breach notification process, and demand that companies adopt security safeguards to protect PII regardless of whether they ever suffer a breach.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The Florida Legislature recently passed the Florida Information Protection Act of 2014 (FIPA).  This post describes the FIPA and analyzes the advantages and disadvantages to businesses governed by the new law.  The FIPA must still be signed by the Governor, but the law received unanimous support in the legislature, so his signature is expected.  Once signed, the law would go into effect in a less than two months.

What is the FIPA?  The FIPA will replace Florida’s existing data breach notification law.  It has a reactive component (what companies must do after a breach) and a proactive component (what companies must do to protect personally identifiable information they control regardless of whether they ever suffer a breach).  The FIPA governs “covered entities.”  A covered entity is a commercial entity that acquires, maintains, stores or uses personally identifiable information.  A “breach” triggering the FIPA is the unauthorized access of data in electronic form containing personally identifiable information (PII).  The FIPA applies only to PII in electronic form, though an argument can be made that the secure disposal requirement under the FIPA applies to PII in any form given its use of the term “shredding.”

What is PII?  PII is defined as a first name or first initial and last name in combination with any of the following:

  • social security number;
  • driver’s license or ID card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
  • a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
  • information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  • an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

PII also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.  The FIPA does not apply to PII that is encrypted, secured, or modified such that the PII is rendered unusable.

Do covered entities have to notify the Florida Attorney General’s Office of a breach?  Yes.  Covered entities must notify Florida’s Department of Legal Affairs (i.e., the Florida Office of the Attorney General) of any breach that affects more than 500 people.  Notice must be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred.  An additional 15 days is permitted if good cause for delay is provided in writing to the Attorney General within 30 days after determination of the breach or reason to believe a breach occurred.

The notice to the Attorney General must include:

  • a synopsis of the events surrounding the breach;
  • the number of affected Floridians;
  • any services related to the breach being offered without charge to the affected individuals (e.g., credit monitoring) and instructions as to how to use such services;
  • a copy of the notice sent to affected individuals or an explanation as to why such notice was not provided (e.g., there was no risk of financial harm); and
  • the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.

Additionally, if the Attorney General asks for any of the following, the covered entity must provide it:

  • a police report
  • an incident report
  • a computer forensics report
  • a copy of the policies in place regarding breaches
  • steps that have been taken to rectify the breach

When must affected individuals be notified?  Notice to affected individuals must be made as expeditiously as practicable and without unreasonable delay.  The law allows covered entities to take into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached.  But even with those considerations, notice to affected individuals cannot take longer than 30 days after determining or having a reason to believe that a breach has occurred.

Two exceptions can permissibly delay or eliminate the obligation to notify affected individuals.  One exception is an authorized delay, which occurs when law enforcement determines that notice to individuals would interfere with a criminal investigation.  The determination must be in writing and must provide a specified period for the delay, based on what law enforcement determines to be reasonably necessary.  The delay may be shortened or extended at the discretion of law enforcement.

The second exception is a waiver, which occurs where, after an investigation and consultation with law enforcement, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the affected individuals.  If a waiver applies, the covered entity must document it, maintain the documentation for five years, and provide the documentation to the Attorney General within 30 days after the determination.

How must notice to affected individuals take place and what must it include?  Direct notice to affected individuals can take one of two forms:  it can be in writing (sent to the mailing address of the individual in the records of the covered entity) or it can be by email to the email address of the individual in the records of the covered entity.  In either form, the notice must include:  (a) the date, estimated date, or estimated date range of the breach; (b) a description of the PII that was accessed; and, (c) information that the individual can use to contact the covered entity to inquire about the breach and the PII that the covered entity maintained about the individual.

Can a covered entity provide substitute notice to affected individuals?  If the cost of direct notice would exceed $250,000, more than 500,000 individuals are affected, or the covered entity does not have a mailing or email address for the affected individuals, then substitute notice can be provided.  The substitute notice must include a conspicuous notice on the covered entity’s website and notice in print and to broadcast media where the affected individuals reside.

What if the covered entity is governed by HIPAA or some other federal regulations?  Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement to individuals under the FIPA. However, a copy of that notice must be timely provided to the Attorney General.  For example, if a company is governed by HIPAA, then their notice pursuant to the Breach Notification Rule will be sufficient to meet the requirements under the FIPA, but a copy of that notice still must be sent to the Attorney General.

Do covered entities have to notify credit reporting agencies?  If more than 1,000 individuals are affected, then notice to all consumer reporting agencies must be provided without unreasonably delay.

What if the breach occurs with a third-party agent (e.g., a vendor)?  A third-party agent is an entity that has been contracted to maintain, store, or process PII on behalf of a covered entity or governmental entity.  If a third-party agent suffers a breach, it must notify the covered entity within 10 days following the determination of the breach or reason to believe the breach occurred.  Upon receiving notice of the breach, the covered entity must then comply with the requirements to notify affected individuals and the Attorney General.  In that case, the third-party agent must provide all information necessary for the covered entity to comply with its notice requirements.  The third-party agent may notify affected individuals and the Attorney General on behalf of the covered entity, but the agent’s failure to provide proper notice is deemed a violation against the covered entity.

Are there obligations other than notification after a breach?  In addition to the reactive component of the FIPA (actions covered entities must take after a data breach), the FIPA also has a proactive component that imposes obligations on covered entities regardless of whether they ever suffer a breach.  Specifically, covered entities must take reasonable measures to protect and secure PII.  Covered entities must also take reasonable measures to dispose, or arrange for the disposal, of customer records containing PII within their custody or control when the records are no longer to be retained.  Such disposal must involve shredding, erasing, or otherwise modifying the PII in the records to make it unreadable or undecipherable through any means.

Who enforces the FIPA and how?  A violation of the FIPA is an unfair or deceptive trade practice subject to an action by the Attorney General under Florida’s Deceptive and Unfair Trade Practices Act against the covered entity or third-party agent.  A covered entity that does not properly notify affected individuals or the Attorney General may be fined up to $500,000 per breach, depending on the number of days in which the covered entity is in violation of the FIPA.  The law creates no private cause of action, nor does the presumed FDUTPA violation for the Attorney General appear to apply to a private action under FDUTPA.

The law will become effective on July 1, 2014 if it is signed by the Governor.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.